From e73a717dbda1d357f64d02e3f187108637a57fe1 Mon Sep 17 00:00:00 2001
From: Troy Grunt <github@troy-grunt.de>
Date: Mon, 2 Feb 2026 23:11:41 +0100
Subject: [PATCH] =?UTF-8?q?Verbessere=20die=20Anmeldefunktionalit=C3=A4t:?=
 =?UTF-8?q?=20Aktualisiere=20Sicherheits=C3=BCberpr=C3=BCfungen,=20verbess?=
 =?UTF-8?q?ere=20die=20Benutzeroberfl=C3=A4che=20und=20implementiere=20UUI?=
 =?UTF-8?q?D-Management=20f=C3=BCr=20Identit=C3=A4ten.?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 db/init/001_schema.sql |   2 +
 www/admin.php          | 497 +++++++++++++++++++++++++++++------------
 2 files changed, 359 insertions(+), 140 deletions(-)

diff --git a/db/init/001_schema.sql b/db/init/001_schema.sql
index 662e4da..973f710 100644
--- a/db/init/001_schema.sql
+++ b/db/init/001_schema.sql
@@ -1,6 +1,7 @@
 -- Identitäten
 CREATE TABLE identities (
     id INT AUTO_INCREMENT PRIMARY KEY,
+    name VARCHAR(255) NOT NULL,
     created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP
 ) ENGINE=InnoDB;
 
@@ -8,6 +9,7 @@ CREATE TABLE identities (
 CREATE TABLE identity_fields (
     id INT AUTO_INCREMENT PRIMARY KEY,
     identity_id INT NOT NULL,
+    typ ENUM('single','multi','file') NULL,
     field_key VARCHAR(50) NOT NULL,
     field_value TEXT NOT NULL,
     FOREIGN KEY (identity_id)
diff --git a/www/admin.php b/www/admin.php
index 2215f93..486af47 100644
--- a/www/admin.php
+++ b/www/admin.php
@@ -4,118 +4,340 @@ require '_func.php';
 require '_user.php';
 
 session_start();
-
 $ip = $_SERVER['REMOTE_ADDR'];
 
+/* ─────────────────────────────
+   Security
+───────────────────────────── */
 if (isIpLocked($ip, $sql)) {
     http_response_code(403);
-    exit('Zu viele Fehlversuche. IP für 1 Stunde gesperrt.');
+    exit('Zu viele Fehlversuche.');
 }
 
+/* ─────────────────────────────
+   Login
+───────────────────────────── */
 if (!($_SESSION['is_admin'] ?? false)) {
+
     if ($_SERVER['REQUEST_METHOD'] === 'POST') {
-        $user = $_POST['username'] ?? '';
-        $pass = $_POST['password'] ?? '';
+        $u = $_POST['username'] ?? '';
+        $p = $_POST['password'] ?? '';
 
         if (
-            $user !== $admin_user ||
-            $pass !== $admin_password
+            $u !== $admin_user ||
+            $p !== $admin_password
         ) {
             registerFailedLogin($ip, $sql);
-            $error = 'Ungültige Zugangsdaten';
+            $error = 'Login fehlgeschlagen';
         } else {
             clearLoginAttempts($ip, $sql);
             $_SESSION['is_admin'] = true;
             header('Location: admin.php');
             exit;
         }
-
-        if (!$admin || !password_verify($pass, $admin['password_hash'])) {
-            registerFailedLogin($ip, $sql);
-            $error = 'Ungültige Zugangsdaten';
-        } else {
-            clearLoginAttempts($ip, $sql);
-            $_SESSION['is_admin'] = true;
-            $_SESSION['admin_id'] = $admin['id'];
-            header('Location: admin.php');
-            exit;
-        }
     }
-
-    // 🔑 Login-Formular
     ?>
-    <!doctype html>
-    <html lang="de">
-    <head>
-        <meta charset="utf-8">
-        <title>Admin Login</title>
-        <style>
-            body { font-family: sans-serif; background:#0f172a; color:#e5e7eb; display:flex; height:100vh; align-items:center; justify-content:center; }
-            form { background:#020617; padding:2rem; border-radius:12px; width:300px; }
-            input, button { width:100%; padding:.6rem; margin-top:.75rem; }
-            button { background:#38bdf8; border:0; cursor:pointer; }
-            .err { color:#f87171; margin-top:.5rem; }
-        </style>
-    </head>
-    <body>
-        <form method="post">
-            <h2>Admin Login</h2>
-            <input name="username" placeholder="Benutzername" required>
-            <input name="password" type="password" placeholder="Passwort" required>
-            <button>Login</button>
-            <?php if (!empty($error)): ?>
-                <div class="err"><?= htmlspecialchars($error) ?></div>
-            <?php endif; ?>
-        </form>
-    </body>
-    </html>
-    <?php
-    exit;
+<!doctype html>
+<html lang="de">
+<head>
+<meta charset="utf-8">
+<title>Admin Login</title>
+<style>
+body {
+    font-family: system-ui, sans-serif;
+    background:#0f172a;
+    color:#e5e7eb;
+    display:flex;
+    justify-content:center;
+    align-items:center;
+    height:100vh;
+}
+form {
+    background:#020617;
+    padding:2rem;
+    border-radius:12px;
+    width:320px;
+}
+input,button {
+    width:100%;
+    padding:.6rem;
+    margin-top:.75rem;
+}
+button {
+    background:#38bdf8;
+    border:0;
+    cursor:pointer;
+}
+.err { color:#f87171; margin-top:.5rem; }
+</style>
+</head>
+<body>
+<form method="post">
+    <h2>Admin Login</h2>
+    <input name="username" placeholder="Benutzername" required>
+    <input name="password" type="password" placeholder="Passwort" required>
+    <button>Login</button>
+    <?php if (!empty($error)): ?>
+        <div class="err"><?= htmlspecialchars($error) ?></div>
+    <?php endif; ?>
+</form>
+</body>
+</html>
+<?php
+exit;
 }
 
-$uuid = $_GET['uuid'] ?? null;
+/* ─────────────────────────────
+   Action Routing
+───────────────────────────── */
+$action = $_GET['action'] ?? null;
 
-if ($uuid) {
+/* ─────────────────────────────
+   UUID DIRECT ACCESS (?uuid=...)
+   Create flow if missing
+───────────────────────────── */
+if (!$action && isset($_GET['uuid'])) {
+    $uuid = $_GET['uuid'];
+
+    // Prüfen ob UUID existiert
     $token = $sql->single(
         "SELECT * FROM access_tokens WHERE uuid = ?",
         "s",
         [$uuid]
     );
 
-    if (!$token) {
-        $sql->set(
-            "INSERT INTO access_tokens (identity_id, uuid)
-             VALUES (1, ?)",
-            "s",
-            [$uuid]
-        );
+    if ($token) {
+        // UUID existiert → weiter zum edit-Formular
+        $action = 'uuid_edit';
+        $_GET['uuid'] = $uuid;
+    } else {
+        // UUID existiert nicht → Initial-Form
+        $action = 'uuid_create_initial';
+        $_GET['uuid'] = $uuid;
+    }
+}
 
-        $token = $sql->single(
-            "SELECT * FROM access_tokens WHERE uuid = ?",
-            "s",
-            [$uuid]
-        );
+/* ─────────────────────────────
+   CREATE IDENTITY
+───────────────────────────── */
+if ($action === 'identity_create') {
+
+    if ($_SERVER['REQUEST_METHOD'] === 'POST') {
+        $name = trim($_POST['name'] ?? '');
+
+        if ($name !== '') {
+            $sql->set(
+                "INSERT INTO identities (name) VALUES (?)",
+                "s",
+                [$name]
+            );
+            header('Location: admin.php');
+            exit;
+        }
+    }
+    ?>
+<!doctype html>
+<html><head><meta charset="utf-8"><title>Identität anlegen</title></head>
+<body>
+<h1>Neue Identität</h1>
+<form method="post">
+    <input name="name" placeholder="Name der Identität" required>
+    <button>Speichern</button>
+</form>
+<p><a href="admin.php">← zurück</a></p>
+</body></html>
+<?php
+exit;
+}
+
+/* ─────────────────────────────
+   INITIAL UUID CREATION
+───────────────────────────── */
+if ($action === 'uuid_create_initial') {
+
+    $uuid = $_GET['uuid'];
+
+    // Alle Identitäten für Auswahl
+    $identities = $sql->get("SELECT * FROM identities ORDER BY name ASC");
+
+    if ($_SERVER['REQUEST_METHOD'] === 'POST') {
+        $identityId = (int)($_POST['identity_id'] ?? 0);
+        $notes      = trim($_POST['notes'] ?? '');
+
+        if (!$identityId) {
+            $error = 'Bitte eine Identität auswählen.';
+        } else {
+            // UUID anlegen
+            $sql->set(
+                "INSERT INTO access_tokens (identity_id, uuid, notes) VALUES (?, ?, ?)",
+                "iss",
+                [$identityId, $uuid, $notes]
+            );
+
+            // Weiterleiten zum Bearbeitungsformular
+            header("Location: admin.php?action=uuid_edit&uuid=$uuid");
+            exit;
+        }
+    }
+
+    ?>
+<!doctype html>
+<html>
+<head><meta charset="utf-8"><title>Neue UUID anlegen</title></head>
+<body>
+<h1>Neue UUID anlegen</h1>
+
+<form method="post">
+    <label>Identität auswählen:
+        <select name="identity_id" required>
+            <option value="">-- bitte wählen --</option>
+            <?php foreach ($identities as $i): ?>
+                <option value="<?= $i['id'] ?>"><?= htmlspecialchars($i['name']) ?></option>
+            <?php endforeach; ?>
+        </select>
+    </label>
+    <br><br>
+    <label>Notiz (optional):<br>
+        <textarea name="notes" rows="3"></textarea>
+    </label>
+    <br><br>
+    <button>Speichern</button>
+</form>
+
+<?php if (!empty($error)): ?>
+<p style="color:red"><?= htmlspecialchars($error) ?></p>
+<?php endif; ?>
+
+<p><a href="admin.php">← zurück zum Dashboard</a></p>
+</body>
+</html>
+<?php
+exit;
+}
+
+/* ─────────────────────────────
+   EDIT IDENTITY
+───────────────────────────── */
+if ($action === 'identity_edit') {
+
+    $id = (int)($_GET['id'] ?? 0);
+
+    $identity = $sql->single(
+        "SELECT * FROM identities WHERE id = ?",
+        "i",
+        [$id]
+    );
+
+    if (!$identity) {
+        exit('Identität nicht gefunden');
     }
 
     if ($_SERVER['REQUEST_METHOD'] === 'POST') {
-        $issuedTo = $_POST['issued_to'] ?? '';
-        $fields   = $_POST['fields'] ?? [];
 
-        // Notiz speichern
-        $sql->set(
-            "UPDATE access_tokens SET notes = ? WHERE id = ?",
-            "si",
-            [$issuedTo, $token['id']]
-        );
+        if (isset($_POST['rename'])) {
+            $sql->set(
+                "UPDATE identities SET name = ? WHERE id = ?",
+                "si",
+                [trim($_POST['name']), $id]
+            );
+        }
+
+        if (isset($_POST['add_field'])) {
+            $sql->set(
+                "INSERT INTO identity_fields (identity_id, field_key, field_value)
+                 VALUES (?, ?, ?)",
+                "iss",
+                [$id, trim($_POST['key']), trim($_POST['value'])]
+            );
+            //TODO typ
+        }
+
+        header("Location: admin.php?action=identity_edit&id=$id");
+        exit;
+    }
+
+    $fields = $sql->get(
+        "SELECT * FROM identity_fields WHERE identity_id = ?",
+        "i",
+        [$id]
+    );
+    ?>
+<!doctype html>
+<html><head><meta charset="utf-8"><title>Identität bearbeiten</title></head>
+<body>
+<h1><?= htmlspecialchars($identity['name']) ?></h1>
+
+<form method="post">
+    <input name="name" value="<?= htmlspecialchars($identity['name']) ?>">
+    <button name="rename">Umbenennen</button>
+</form>
+
+<h2>Felder</h2>
+<ul>
+<?php foreach ($fields as $f): ?>
+<li>
+<strong><?= htmlspecialchars($f['field_key']) ?>:</strong>
+<?= htmlspecialchars($f['field_value']) ?>
+</li>
+<?php endforeach; ?>
+</ul>
+
+<form method="post">
+    <input name="key" placeholder="Feldname" required>
+    <input name="value" placeholder="Wert" required>
+    <button name="add_field">➕ Feld hinzufügen</button>
+</form>
+
+<p><a href="admin.php">← zurück</a></p>
+</body></html>
+<?php
+exit;
+}
+
+/* ─────────────────────────────
+   CREATE UUID
+───────────────────────────── */
+if ($action === 'uuid_create') {
+
+    $identityId = (int)($_GET['identity_id'] ?? 0);
+
+    $uuid = uuid_create(UUID_TYPE_RANDOM);
+
+    $sql->set(
+        "INSERT INTO access_tokens (identity_id, uuid)
+         VALUES (?, ?)",
+        "is",
+        [$identityId, $uuid]
+    );
+
+    header("Location: admin.php?action=uuid_edit&uuid=$uuid");
+    exit;
+}
+
+/* ─────────────────────────────
+   EDIT UUID
+───────────────────────────── */
+if ($action === 'uuid_edit') {
+
+    $uuid = $_GET['uuid'] ?? '';
+
+    $token = $sql->single(
+        "SELECT * FROM access_tokens WHERE uuid = ?",
+        "s",
+        [$uuid]
+    );
+
+    if (!$token) exit('UUID nicht gefunden');
+
+    if ($_SERVER['REQUEST_METHOD'] === 'POST') {
 
-        // Rechte neu setzen
         $sql->set(
             "DELETE FROM token_permissions WHERE token_id = ?",
             "i",
             [$token['id']]
         );
 
-        foreach ($fields as $key) {
+        foreach ($_POST['fields'] ?? [] as $key) {
             $sql->set(
                 "INSERT INTO token_permissions (token_id, field_key)
                  VALUES (?, ?)",
@@ -124,96 +346,91 @@ if ($uuid) {
             );
         }
 
-        $saved = true;
+        $sql->set(
+            "UPDATE access_tokens SET notes = ? WHERE id = ?",
+            "si",
+            [trim($_POST['notes']), $token['id']]
+        );
     }
 
-    // Alle Felder der Identität
-    $allFields = $sql->get(
-        "SELECT DISTINCT field_key FROM identity_fields WHERE identity_id = ?",
+    // Alle Felder der zugehörigen Identität
+    $fields = $sql->get(
+        "SELECT field_key, field_value FROM identity_fields WHERE identity_id = ?",
         "i",
         [$token['identity_id']]
     );
 
-    // Aktive Rechte
-    $allowed = $sql->get(
-        "SELECT field_key FROM token_permissions WHERE token_id = ?",
-        "i",
-        [$token['id']]
+    // Welche Felder aktuell für diesen Token erlaubt sind
+    $allowed = array_column(
+        $sql->get(
+            "SELECT field_key FROM token_permissions WHERE token_id = ?",
+            "i",
+            [$token['id']]
+        ),
+        'field_key'
     );
 
-    $allowedKeys = array_column($allowed, 'field_key');
+    // Name der Identität
+    $identity = $sql->single(
+        "SELECT name FROM identities WHERE id = ?",
+        "i",
+        [$token['identity_id']]
+    );
     ?>
-    <!doctype html>
-    <html lang="de">
-    <head>
-        <meta charset="utf-8">
-        <title>UUID bearbeiten</title>
-    </head>
-    <body>
-        <h1>UUID verwalten</h1>
-        <p><strong><?= htmlspecialchars($uuid) ?></strong></p>
+<!doctype html>
+<html><head><meta charset="utf-8"><title>UUID bearbeiten</title></head>
+<body>
+<h1>UUID bearbeiten</h1>
+<p><strong>UUID:</strong> <code><?= htmlspecialchars($uuid) ?></code></p>
+<p><strong>Identität:</strong> <?= htmlspecialchars($identity['name']) ?></p>
 
-        <?php if (!empty($saved)) echo '<p>Gespeichert ✔</p>'; ?>
+<form method="post">
+<h3>Sichtbare Felder</h3>
+<?php foreach ($fields as $f): ?>
+<label>
+<input type="checkbox" name="fields[]"
+       value="<?= htmlspecialchars($f['field_key']) ?>"
+       <?= in_array($f['field_key'], $allowed) ? 'checked' : '' ?>>
+<?= htmlspecialchars($f['field_key']) ?>:
+<em><?= htmlspecialchars($f['field_value']) ?></em>
+</label><br>
+<?php endforeach; ?>
 
-        <form method="post">
-            <h3>Sichtbare Informationen</h3>
+<h3>Notiz</h3>
+<textarea name="notes" rows="4"><?= htmlspecialchars($token['notes']) ?></textarea>
+<br>
+<button>Speichern</button>
+</form>
 
-            <?php foreach ($allFields as $f): ?>
-                <label>
-                    <input type="checkbox" name="fields[]" value="<?= htmlspecialchars($f['field_key']) ?>"
-                        <?= in_array($f['field_key'], $allowedKeys) ? 'checked' : '' ?>>
-                    <?= htmlspecialchars($f['field_key']) ?>
-                </label><br>
-            <?php endforeach; ?>
-
-            <h3>Ausgegeben an</h3>
-            <textarea name="issued_to" rows="4" cols="40"><?= htmlspecialchars($token['notes']) ?></textarea>
-
-            <br><br>
-            <button>Speichern</button>
-        </form>
-
-        <p><a href="admin.php">← Zurück</a></p>
-    </body>
-    </html>
-    <?php
-    exit;
+<p><a href="admin.php">← zurück</a></p>
+</body></html>
+<?php
+exit;
 }
 
-/**
- * 📊 ADMIN DASHBOARD
- */
+/* ─────────────────────────────
+   DASHBOARD
+───────────────────────────── */
 $identities = $sql->get("SELECT * FROM identities ORDER BY id DESC");
-$tokens     = $sql->get("SELECT * FROM access_tokens ORDER BY created_at DESC");
-
 ?>
 <!doctype html>
 <html lang="de">
-<head>
-    <meta charset="utf-8">
-    <title>Admin Dashboard</title>
-</head>
+<head><meta charset="utf-8"><title>Admin</title></head>
 <body>
-    <h1>Admin Dashboard</h1>
 
-    <h2>Identitäten</h2>
-    <ul>
-        <?php foreach ($identities as $i): ?>
-            <li>ID <?= $i['id'] ?></li>
-        <?php endforeach; ?>
-    </ul>
+<h1>Admin Dashboard</h1>
 
-    <h2>UUIDs</h2>
-    <ul>
-        <?php foreach ($tokens as $t): ?>
-            <li>
-                <a href="admin.php?uuid=<?= htmlspecialchars($t['uuid']) ?>">
-                    <?= htmlspecialchars($t['uuid']) ?>
-                </a>
-            </li>
-        <?php endforeach; ?>
-    </ul>
+<p><a href="admin.php?action=identity_create">➕ Identität anlegen</a></p>
 
-    <p><a href="logout.php">Logout</a></p>
+<ul>
+<?php foreach ($identities as $i): ?>
+<li>
+<strong><?= htmlspecialchars($i['name']) ?></strong>
+– <a href="admin.php?action=identity_edit&id=<?= $i['id'] ?>">bearbeiten</a>
+</li>
+<?php endforeach; ?>
+</ul>
+
+<p><a href="logout.php">Logout</a></p>
 </body>
 </html>